3. Block Ciphers and Data Encryption Standard

block cipher and DES

Modern Block Ciphers

and Data Encryption Standard


• modern block ciphers - one of the most widely used types of cryptographic algorithms
• provide secrecy / authentication services
• focus on DES (Data Encryption Standard)
• illustration of block cipher design principles

BITS Pilani, Hyderabad Campus


Comparison with Stream Ciphers
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
• Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher. In the ideal case, a one-time pad version of the Vernam cipher would be used, in which the keystream k_i is as long as the plaintext bit stream p_i.
• If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream.
• However, the keystream must be provided to both users in advance via some independent and secure channel.



Block ciphers

• A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.
• As with a stream cipher, the two users share a symmetric encryption key. Using some of the modes of operation, a block cipher can be used to achieve the same effect as a stream cipher.



Block vs Stream Ciphers
• block ciphers process messages in blocks, each of which is then en/decrypted
– like a substitution on very big characters (64 bits or more)
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
– broader range of applications



Block vs Stream Ciphers (figure)


Block Cipher Principles
• most symmetric block ciphers are based on a Feistel cipher structure
• a well-defined structure is needed since we must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
– we would need a table of 2^64 entries for a 64-bit block
• instead create from smaller building blocks using the idea of a product cipher



Details

• Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher
• A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits
• An arbitrary reversible substitution cipher for a large block size is not practical, however, from an implementation and performance point of view
• In general, for an n-bit general substitution block cipher, the size of the key is n × 2^n bits
• For a 64-bit block, which is a desirable length to thwart statistical attacks, the key size is 64 × 2^64 = 2^70 ≈ 10^21 bits
• In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable



Strength of block cipher

• A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. There are 2^n possible different plaintext blocks and, for the encryption to be reversible (i.e., for decryption to be possible), each must produce a unique ciphertext block. Such a transformation is called reversible, or nonsingular
• examples to illustrate nonsingular and singular transformations for n = 2



Reversible and irreversible mapping (figure)


Ideal Block Cipher (figure)


Encryption-decryption tables (figure)


Ideal block cipher - description

• Feistel refers to an n-bit general substitution as an ideal block cipher, because it allows for the maximum number of possible encryption mappings from the plaintext to ciphertext block
• A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits
• The encryption and decryption mappings can be defined by a tabulation - a tiny 4-bit substitution to show that each possible input can be arbitrarily mapped to any output - which is why its complexity grows so rapidly



Claude Shannon and Substitution-Permutation Ciphers
• Claude Shannon introduced the idea of substitution-permutation (S-P) networks in a 1949 paper
• forms basis of modern block ciphers
• S-P nets are based on the two primitive
cryptographic operations seen before:
– substitution (S-box)
– permutation (P-box)
• provide confusion & diffusion of message & key



Confusion and Diffusion
• cipher needs to completely obscure statistical properties of original message
• a one-time pad does this
• more practically Shannon suggested combining S & P elements to obtain:
– diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
– confusion – makes relationship between ciphertext and key as complex as possible



Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
– based on concept of invertible product cipher
• partitions input block into two halves
• process through multiple rounds which
– perform a substitution on left data half
– based on round function of right half & subkey
– then have permutation swapping halves
• implements Shannon’s S-P net concept



Feistel Cipher Structure (figure)


Feistel Cipher Structure

data split in 2 halves, processed through a number of rounds which perform a substitution on left half using output of round function on right half & key, and a permutation which swaps halves



Feistel Cipher Design Elements
• block size -> larger block size preferred
• key size -> larger key size preferred
• number of rounds (n) -> multiple rounds
preferred (16 usually)
• subkey generation algorithm -> greater
complexity preferred
• round function -> greater complexity
preferred
• fast software en/decryption
• ease of analysis
Feistel Cipher Decryption (figure)


Feistel Cipher algorithm (figure)


• The process of decryption with a Feistel cipher is essentially the same as the encryption process
• The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order
• That is, use K_n in the first round, K_{n-1} in the second round, and so on until K_1 is used in the last round
• This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption
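The round rule and the reversed-subkey decryption described above, as an added Python example that is not part of the original slides: a toy 32-bit Feistel network whose round function and 16-bit subkey derivation are constructed stand-ins (not DES's F, PC-1 or PC-2), used only to show that the same code path decrypts when the subkeys are fed in reverse.

```python
"""Toy Feistel network (32-bit block, 16-bit halves) showing that decryption is the
encryption code path run with the subkeys in reverse order. Added example; the
round function and key schedule below are constructed stand-ins, not DES's own."""
MASK16 = 0xFFFF
ROUNDS = 16


def round_function(right: int, subkey: int) -> int:
    """Hypothetical round function F(R, K). It need not be invertible: the Feistel
    structure recovers L_{i-1} by XORing F(R_{i-1}, K_i) back in, never by inverting F."""
    x = (right ^ subkey) & MASK16
    x = (x * 0x9E37 + 0x1B5) & MASK16           # non-linear mixing, constructed constants
    return ((x << 5) | (x >> 11)) & MASK16      # rotate the 16-bit value left by 5


def key_schedule(key: int, rounds: int = ROUNDS) -> list:
    """Constructed subkey derivation: subkeys K_1..K_n (16 bits each) from a 32-bit key."""
    subkeys = []
    for i in range(rounds):
        rot = (i * 3) % 32
        rotated = ((key << rot) | (key >> (32 - rot))) & 0xFFFFFFFF
        subkeys.append((rotated ^ (rotated >> 16) ^ i) & MASK16)
    return subkeys


def feistel(block: int, subkeys) -> int:
    """Apply L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i) once per subkey, then undo
    the final swap (as DES does before its final permutation) so that the very same
    function serves for decryption."""
    left, right = (block >> 16) & MASK16, block & MASK16
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 16) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    # the slide's rule: same algorithm, subkeys used in the order K_n ... K_1
    return feistel(block, list(reversed(key_schedule(key))))


if __name__ == "__main__":
    p, k = 0x01234567, 0xDEADBEEF      # constructed sample plaintext and key
    c = encrypt(p, k)
    print(f"plaintext  {p:08x}\nciphertext {c:08x}\nrecovered  {decrypt(c, k):08x}")
```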



Feistel example with a 32-bit block and 24-bit key (figure)


Data Encryption Standard (DES)
• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
– as FIPS PUB 46
• encrypts 64-bit data using a 56-bit key; widespread use
• There is considerable controversy over its
security
• Algorithm is called DEA



DES History
• IBM developed Lucifer cipher (Feistel cipher)
– by team led by Feistel in late 60’s
– used 64-bit data blocks with 128-bit key
• redeveloped as a commercial cipher with
input from NSA and others
• in 1973 NBS issued request for proposals for a
national cipher standard
• IBM submitted their revised Lucifer which was
eventually accepted as the DES



DES Design issues
• although DES standard is public, design issues
– in choice of 56-bit key (vs Lucifer 128-bit)
– and because design criteria were classified
• subsequent events and public analysis show in
fact design was appropriate
• use of DES has flourished
– especially in financial applications
– still standardised for legacy application use



Generic Depiction - DES Encryption (figure)


Details
• The overall scheme for DES encryption takes as input 64 bits of data and of key
• The left side shows the basic process for enciphering a 64-bit data block which consists of:
– an initial permutation (IP) which shuffles the 64-bit input block
– 16 rounds of a complex key dependent round function involving substitutions & permutations
– a final permutation, being the inverse of IP
• The right side shows the handling of the 56-bit key and consists of:
– an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
– 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves



Initial Permutation IP
• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
• example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)



Permutation tables for DES (figure)


Single round DES algorithm (figure)


Interpretation of the P-tables
• The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.
• the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use: numbers run from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant).
• examples are specified using hexadecimal
• Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”
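The table convention and the IP worked example above, as an added Python example (not from the slides): a generic table-driven permutation using DES bit numbering (bit 1 is the leftmost, most significant bit), the FIPS 46 IP table, and the final permutation FP derived from it by inversion. The function names are this example's own.

```python
"""DES-style permutation tables with DES bit numbering (bit 1 = leftmost, most
significant). Added example, not from the slides; the IP table is the FIPS 46 one."""

# Initial Permutation IP from FIPS 46. Entry j (1-based) names the INPUT bit that
# lands at OUTPUT position j: output bit 1 is input bit 58, output bit 2 is input 50, ...
IP = (58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7)


def get_bit(value: int, width: int, n: int) -> int:
    """DES bit n of a width-bit value (bit 1 is the MSB, bit `width` the LSB)."""
    return (value >> (width - n)) & 1


def permute(value: int, width: int, table) -> int:
    """Apply a DES permutation or selection table to a width-bit value. The result has
    len(table) bits, so the same routine serves IP/FP (64->64), E (32->48), PC-1, PC-2."""
    out = 0
    for src in table:
        out = (out << 1) | get_bit(value, width, src)
    return out


def invert(table) -> tuple:
    """Inverse of a bijective table: if output bit j came from input bit table[j-1],
    the inverse sends bit j back to that position. FP (IP^-1) is obtained this way."""
    inv = [0] * len(table)
    for dst, src in enumerate(table, start=1):
        inv[src - 1] = dst
    return tuple(inv)


FP = invert(IP)   # final permutation, the inverse of IP


def ip_splits_even_odd() -> bool:
    """The slide's observation: even-numbered input bits go to the left half, odd to the right."""
    return all(b % 2 == 0 for b in IP[:32]) and all(b % 2 == 1 for b in IP[32:])


def ip_example() -> int:
    """The slide's worked example, IP(675a6967 5e5a6b5a)."""
    return permute(0x675A69675E5A6B5A, 64, IP)


if __name__ == "__main__":
    c = ip_example()
    print(f"IP(675a6967 5e5a6b5a) = {c:016x}")
    print(f"FP(IP(x)) == x: {permute(c, 64, FP) == 0x675A69675E5A6B5A}")
```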
DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
• F takes 32-bit R half and 48-bit subkey:
– expands R to 48-bits using perm E
– adds to subkey using XOR
– passes through 8 S-boxes to get 32-bit result
– finally permutes using 32-bit perm P



F-function: stages
The F-function operates on half a block (32 bits) at a time and consists of four stages:
The Feistel function (F-function) of DES:
• Expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-bit (8 * 6 = 48 bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.
• Key mixing: the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys, one for each round, are derived from the main key using the key schedule (described below).
• Substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes, or substitution boxes. Each of the eight S-boxes replaces its six input bits with four output bits according to a non-linear transformation, provided in the form of a lookup table. The S-boxes provide the core of the security of DES; without them, the cipher would be linear, and trivially breakable.
• Permutation: finally, the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, after permutation, the bits from the output of each S-box in this round are spread across four different S-boxes in the next round.
DES Round Structure (figure)


Substitution Boxes S
• We have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4 bit boxes
– outer bits 1 & 6 (row bits) select one row of 4
– inner bits 2-5 (col bits) are substituted
– result is 8 lots of 4 bits, or 32 bits
• The row selection depends on both data & key
– feature known as autoclaving (autokeying)
• example:
– S(18 09 12 3d 11 17 38 39) = 5fd25e03

DES Key Schedule
• forms subkeys used in each round
– initial permutation of the key (PC1) which selects
56-bits in two 28-bit halves
– 16 stages consisting of:
• rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
• selecting 24-bits from each half & permuting them by
PC2 for use in round function F



DES Key Schedule calculation (figure)


DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again using
subkeys in reverse order (SK16 … SK1)
– IP undoes final FP step of encryption
– 1st round with SK16 undoes 16th encrypt round
– ….
– 16th round with SK1 undoes 1st encrypt round
– then final FP undoes initial encryption IP
– thus recovering original data value



Avalanche Effect
• A desirable property of any encryption algorithm is
that a small change in either the plaintext or the key
should produce a significant change in the ciphertext
• This is called avalanche effect
• In particular, a change in one bit of the plaintext or
one bit of the key should produce a change in many
bits of the ciphertext
• If the changes were small, this might provide a way
to reduce the size of the plaintext or key space to be
searched
• DES exhibits a strong avalanche effect
Strength of DES – Key Size
• Security provided by DES in two areas: key size and the nature of the algorithm
• With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys (brute-force attack)
• Demonstrated breaks of the DES using both large networks of computers & dedicated h/w, include
– 1997 on a large network of computers in a few months
– 1998 on dedicated h/w (EFF) in a few days
– 1999 above combined in 22hrs!
• It is important to note that there is more to a key-search attack than simply running through all possible keys
• Alternatives to DES, the most important of which are AES and triple DES
Strength of DES – Analytic Attacks
• several analytic attacks on DES
• these utilise some deep structure of the cipher (S-boxes)
– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis
– linear cryptanalysis
– related key attacks



Strength of DES – Timing Attacks
• Attacks actual implementation of cipher
• A timing attack is one in which information about the
key or the plaintext is obtained by observing how
long it takes a given implementation to perform
decryptions on various ciphertexts
• uses knowledge of consequences of implementation
to derive information about some/all subkey bits
• specifically uses the fact that calculations can take
varying times depending on the value of the inputs
to it; particularly problematic on smartcards
Differential Cryptanalysis
• Biham & Shamir show Differential Cryptanalysis can be successfully used to cryptanalyse the DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions
• Differential cryptanalysis influenced the design of the S-boxes and the permutation P to improve its resistance to it. Compare DES’s security with the cryptanalysis of an eight-round LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts
Differential Cryptanalysis
• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function
f influenced by both input & key
• hence we cannot trace values back through
cipher without knowing value of the key
• differential cryptanalysis compares two
related pairs of encryptions



Differential Cryptanalysis Compares Pairs of Encryptions
• with a known difference in the input
• searching for a known difference in output
• when same subkeys are used
• if a number of such differences are determined, it is feasible to determine the subkey used in the function f



Differential Cryptanalysis
• The overall strategy of differential cryptanalysis is based on these considerations for a single round
• The procedure is to begin with two plaintext messages m and m’ with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the ciphertext
• submit m and m’ for encryption to determine the actual difference under the unknown key and compare the result to the probable difference
• If there is a match, then suspect that all the probable patterns at all the intermediate rounds are correct
• With that assumption, we can make some deductions about the key bits
• This procedure must be repeated many times to determine all
Differential Cryptanalysis: example steps
• the propagation of differences through three rounds of DES
• The probabilities shown on the right refer to the probability that a given set of intermediate differences will appear as a function of the input differences
• Overall, after three rounds the probability that the output difference is as shown is equal to 0.25 × 1 × 0.25 = 0.0625. Since the output difference is the same as the input, this 3-round pattern can be iterated over a larger number of rounds, with probabilities multiplying to be successively smaller


Differential Cryptanalysis (figure)


Linear Cryptanalysis
• This attack is based on finding linear approximations to describe the transformations performed in DES
• This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES
• Again, this attack uses structure not seen before. So far, little work has been done by other groups to validate the linear cryptanalytic approach
Linear Cryptanalysis

• The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5
• Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of info about them
• This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined
Linear Cryptanalysis
• find linear approximations with prob p ≠ ½
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where ia, jb, kc are bit locations in P, C, K
• gives linear equation for key bits, get one key bit using max likelihood alg, using a large number of trial encryptions
• effectiveness given by: |p – 1/2|



DES Design Criteria
• as reported by Coppersmith in [COPP94]
• criteria for S-boxes provide for
– non-linearity
– resistance to differential cryptanalysis
– good confusion
• criteria for permutation P provide for
– increased diffusion



Block cipher design criteria
• No output bit of any S-box should be too close a linear function of the input bits. Specifically, if we select any output bit and any subset of the six input bits, the fraction of inputs for which this output bit equals the XOR of these input bits should not be close to 0 or 1, but rather should be near 1/2.
• Each row of an S-box (determined by a fixed value of the leftmost and rightmost input bits) should include all 16 possible output bit combinations.
• If two inputs to an S-box differ in exactly one bit, the outputs must differ in at least two bits.
• If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at least two bits.
• If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must not be the same.
• For any nonzero 6-bit difference between inputs, no more than eight of the 32 pairs of inputs exhibiting that difference may result in the same output difference.
• This is a criterion similar to the previous one, but for the case of three S-boxes.
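The S-box lookup rule from the "Substitution Boxes S" slide (outer bits select the row, inner bits the column) and the single-S-box design criteria listed above, as an added Python example that is not part of the original slides: the FIPS 46 table for S1 is reproduced, the row/column selection is implemented, and each listed criterion is checked over all input pairs so the reader can confirm S1 meets them. The function names are this example's own.

```python
"""DES S-box S1 lookup plus a check of the published S-box design criteria from the
slide. Added example, not from the slides; the S1 table is the FIPS 46 one."""
from itertools import combinations

# S1: row selected by the outer bits (1 and 6), column by the inner bits (2-5)
S1 = (
    (14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7),
    (0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8),
    (4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0),
    (15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13),
)


def sbox(box, x: int) -> int:
    """6-bit in, 4-bit out. With bit 1 the MSB of x: row = bits 1 and 6, column = bits 2-5."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def max_ddt_entry(box) -> int:
    """Largest count in the difference distribution table: over the 32 unordered input
    pairs with a fixed nonzero input XOR, how many share one output XOR at most."""
    worst = 0
    for delta in range(1, 64):
        counts = {}
        for a in range(64):
            out = sbox(box, a) ^ sbox(box, a ^ delta)
            counts[out] = counts.get(out, 0) + 1      # ordered pairs: each counted twice
        worst = max(worst, max(counts.values()) // 2)
    return worst


def check_criteria(box) -> dict:
    """The slide's S-box criteria; every value is True when the box satisfies it."""
    pairs = list(combinations(range(64), 2))
    return {
        # each row contains all 16 output values
        "rows_complete": all(sorted(r) == list(range(16)) for r in box),
        # inputs differing in exactly one bit -> outputs differ in at least two bits
        "one_bit": all(hamming(sbox(box, a), sbox(box, b)) >= 2
                       for a, b in pairs if hamming(a, b) == 1),
        # inputs differing in exactly the two middle bits -> outputs differ in >= 2 bits
        "middle_two": all(hamming(sbox(box, a), sbox(box, b)) >= 2
                          for a, b in pairs if a ^ b == 0b001100),
        # first two bits differ, last two identical (any middle) -> outputs differ
        "first_two": all(sbox(box, a) != sbox(box, b)
                         for a, b in pairs if (a ^ b) & 0b110011 == 0b110000),
        # no input XOR leads to one output XOR for more than 8 of its 32 pairs (p <= 1/4)
        "ddt_bound": max_ddt_entry(box) <= 8,
    }


if __name__ == "__main__":
    # first 6-bit chunk of the slide's example S(18 09 12 3d 11 17 38 39) = 5fd25e03
    print(f"S1(0x18) = {sbox(S1, 0x18):x}")
    print(check_criteria(S1))
```

The 1/4 bound on the best single-S-box differential is the same probability that appears in the three-round example slide (0.25 × 1 × 0.25).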



Block Cipher Design
• basic principles still like Feistel’s in 1970’s
• number of rounds
– more is better, exhaustive search best attack
• function f:
– provides “confusion”, is nonlinear, avalanche
– have issues of how S-boxes are selected
• key schedule
– complex subkey creation, key avalanche



Summary
– block vs stream ciphers
– Feistel cipher design & structure
– DES
• details
• strength
– Differential & Linear Cryptanalysis
– block cipher design principles

